Event details
During Microsoft Secure you learned about the latest innovations around Microsoft's SIEM and XDR solution. Join this Ask Microsoft Anything (AMA) session to get your questions about Microsoft Sentine...
Trevor_Rusher
Updated Dec 27, 2024
TobyMcG
Mar 31, 2023 Copper Contributor
Further to the Defender AV Sample Submission process, we understand that the M365 Defender AIR (Automated Investigations and Response) service can also request files be sent for analysis based on telemetry it's correlated.
When AIR requests a file be sent for Sample Submission, what is the logical flow between AIR and Defender AV for requesting and sending the suspicious file to the blob, and getting a response back? i.e.:
Does Defender AV send the sample, get a response and then inform the AIR service?
Alternatively, does AIR request that Defender AV send the file for analysis, but AIR receives the response directly from the blob before instructing Defender AV to allow or block the file?
If AIR gets notified directly, how is this handled with the anonymisation process of submitted files in the previous question?
Is there any documentation on the data destruction process of samples held in the blobs following the Sample Submission of Cloud Delivered Protection?
Ed Fisher
Microsoft
Apr 13, 2023
There is definitely too much in this series of questions to cover adequately in this asynchronous chat format. Please engage your account team, who can better assist you.